Use speling erors 0r unconv3ntional spell1ng f4r add3d complexyti. Or! some unusal? pun-ct. Uation?
Why on earth does it need to be a grammatically correct phrase?
I find the phrase: âMary had a little lambâ just as easy to remember as the less grammatically correct and more unusual âpassrambleâ: âlamb a little mary hadâ!
This diffuses any natural language attack vectors in exchange for the slight inconvenience of having a less readable passphrase.
Although I am no expert in natural language processing, iâve learned that the problem of reducing a search space to grammatically correct phrases is no easy (even complete) task so itâs not an immediate worry anyway.
Interested parties in passphrases might want to inspect this site which has some good comparisons of the various attack costs on passwords:
http://www1.umn.edu/oit/security/passwordattackdiscussion.html
1 Like
dfdsfdsfdsfdf
very good
I agree with usage of passphrase over password, it seems more safe and it is hacker free. Easy to remember
I think the real reason that people donât use pass phrases is those damned password/phrase masking âbulletsâ that make you type blind.
If Iâm only typing a word, or a word plus a digit/symbol, I can deal with the bullet obfuscation. But when you start to go onto multiple words or sentences itâs just too much.
Hell, I can barely type a few sentences correctly when I can see the words (how many times do you go back and correct errors without thinking about it?), take away that ability and the chance of errors - real or perceived - goes up.
If you really want people to use pass phrases, get rid of the stupid password-masking bullets, as Jakob Nielsen said here in âStop Password Maskingâ http://www.useit.com/alertbox/passwords.html
One thing you seem to forget is that people are also inherently LAZY. Typing a 25-character pass-phrase does not appeal to most common users. This also makes for some calls to tech support when there is 1 typo made in the pass-phrase.
Couldnât disagree more. A pass-phrase introduces no real new bits of entropy. âThe quick brown foxâ is a 4 letter/item password with one of the âlettersâ being very common âtheâ. This does nothing to increase security in a world where crackers have billions of passwords to analyse for these types of patterns. Simply think of each word as a single ASCII character, a single item from a dictionary, with a few morphs to include common special character substitutions itâs easy to brute force pass-phrases. They are nothing more than passwords with long âcharactersâ.
p.s. Your discourse signup system fails to send confirmation emails.
I have been learning how to develop websites using the Yii framework and spent the last four days reading everything I can on passwords how to store them (securely) in a database. The concept of pass phrases has grabbed my attention. As an addition to the topic:
for ones personal use
1- Create you own personal rules for mis$pel!ing words.
2- Donât use the space bar. camelCaseWorksForMe (and misspell)
As a developer
1- I like the idea of explaining to users the importance of secure passwords and the concept of using pass phrases, offering some examples, and doing so right in the login form (perhaps with a link to an essay by you with links to other pages on the subject)
2- offer a checkbox to get rid of password bullets (reminding the user to make sure no one is looking over their shoulder).
3- employ a password strength meter.
and finally- I will be reassuring users that I will be storing their password securely, especially so if the password (ahemâŚpass phrase) is 12 character or longer.
I know this is old but why not prepend your favorite password to your passphrase?
It could be like:
ST4230 + im still angry spock died
Then dictionary attacks wouldnât work and neither would bruteforcing.
Rainbow tables might do it but it would take a pretty large one to have âST4230imstillangryspockdiedâ.
1 Like
It depends on how the attack vector would be, a passphrase the same length as a password would have lower entropy assuming you know itâs just a phrase. However, if you donât know that it is âjust a phraseâ then youâd still need to scan through the whole set.
In addition passphrases should ideally be longer than a typical password.
The main issue I have with pass phrases is legacy system support in enterprise systems and how they require you to abide by their password rules in order for it to sync up up with their mainframe accounts.
XKCD makes this exact point. Four randomly chosen common English words actually have much higher entropy than a single word with common substitutions, and are easier for most people to remember. Of course, if the password is an actual phrase or a quote, then the entropy is much lower and there are still possible attack vectors. Unfortunately, many modern security systems wonât let you do this, as they will not allow passwords that contain dictionary words.
1 Like